We have recently released new versions of our Joomla Client (v1.12.2), WordPress Client (v1.0.2) & the SSO Plugin for Joomla (v1.3).
New Joomla & WordPress Clients
The updated Joomla and WordPress clients improve the way we authenticate calls from the Watchful server, so as to avoid a theoretical timing attack (see http://php.net/manual/en/function.hash-hmac.php#111435).
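The timing issue referenced above comes from comparing an HMAC with ordinary string equality, which returns as soon as one byte differs. The following is an added example, not code from the Watchful clients; it assumes an HMAC-SHA256 over the request body (the page does not say which algorithm the clients use), and the secret, body and function names are constructed for illustration.

```php
<?php
// Added example (not Watchful's client code): authenticating a call from a
// server with an HMAC, showing the old string-equality check next to the
// constant-time hash_equals() check. The shared secret and request body
// below are constructed sample values.

// Old style (timing-leaky): `==` stops at the first differing byte, so the
// response time leaks how many leading bytes of a guessed signature matched.
// In PHP, `==` on two numeric-looking strings also compares them as numbers,
// which is a second reason never to use it for digests.
function verifyLeaky(string $secret, string $body, string $signature): bool
{
    $expected = hash_hmac('sha256', $body, $secret);
    return $expected == $signature;
}

// New style (constant-time): hash_equals() compares the whole string
// regardless of where the first difference is, so timing reveals nothing
// about how close the supplied signature was.
function verifyConstantTime(string $secret, string $body, string $signature): bool
{
    $expected = hash_hmac('sha256', $body, $secret);
    return hash_equals($expected, $signature);
}

// Constructed sample exchange: the "server" signs a request body with the
// shared secret, and the site-side "client" verifies it before acting.
$secret    = 'example-shared-secret-do-not-use';   // assumption: pre-shared key
$body      = '{"task":"backup","site":"example.com"}';
$signature = hash_hmac('sha256', $body, $secret);  // sent alongside the body

var_dump(verifyConstantTime($secret, $body, $signature));             // genuine
var_dump(verifyConstantTime($secret, $body . ' ', $signature));       // tampered body
var_dump(verifyConstantTime($secret, $body, 'not-a-real-signature')); // wrong signature
```

Both functions accept the same genuine signatures and reject the same bad ones; the only difference is that the second one does so in time independent of the input.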
New SSO Plugin
The new SSO plugin changes the way we hash passwords. This prevents Watchful from “seeing” your passwords during SSO authentication attempts.
With the previous plugin, your password was encrypted with AES256 on your site and then sent to the Watchful server. Once received, Watchful decrypted the password and immediately hashed it before storing it in the database. Importantly, the password was never stored unencrypted in our database or in any log file.
With the new SSO plugin, the remote site hashes the password first and then encrypts the hash with AES256 before sending it to the Watchful server. Once received, the hash is decrypted and compared with the SSO user's password; the plaintext password itself never reaches Watchful.
Is my site secure with previous versions of the Watchful Client and SSO plugin?
Previous versions are secure, but we recommend that you update to the new versions. We continue to improve our services by following better security practices, but the original method was never compromised and we have been unable to penetrate Watchful using the original clients/plugin.
Are there any post-update tasks?
If you currently use the SSO plugin, you will need to reconnect each SSO user from any website that still uses the previous version, or set a new password for each SSO user from the Watchful dashboard.
If you have successfully logged in with an SSO user on or after April 9, 2018, then that SSO user is already set up for the new plugin.
Is this a security release?
No, it’s an improvement in the authentication process. The security of your website was never compromised.